The following commands allow you to configure Network Access Protection (NAP) client from the nap client context of netsh.

NAP client commands

The following entries provide details for each command.

add server

Adds the uniform resource locator (URL) of a Health Registration Authority (HRA) server to a trusted server group.

Syntax

add server [ group = ] group [ url = ] url [ [ processingorder = ] processingorder ]

Parameters
group

Required. Specifies the name of the trusted server group to which you want to add an HRA server.
url

Required. Specifies the URL of an HRA server that you want to add to the trusted server group. If the trusted server group requires server verification (https:), then the URL must contain the https:// prefix.
processingorder

Optional. Designates the processing order of the HRA URL in the list of URLs in the trusted server group. If you do not specify the processing order, the URL is added to the end of the list and is processed last.
Example

add server group = "group1" url = "url1" processingorder = "1"

add trustedservergroup

Adds a trusted server group.

Syntax

add trustedservergroup [ name = ] name [ [ requirehttps = ] ENABLE | DISABLE ]

Parameters
name

Required. Specifies the name of the trusted server group that you want to add to the NAP client configuration.
requirehttps

Optional. Specifies whether server verification (https:) is required for all servers in this group. If not specified, https: is enabled by default.
Example

add trustedservergroup name = "group1" requirehttps = "ENABLE"

delete server

Deletes the URL of an HRA server from the specified trusted server group.

Syntax

delete server [ group = ] group [ url = ] url

Parameters
group

Required. Specifies the name of the trusted server group from which you want to remove an HRA server.
url

Required. Specifies the URL of the HRA server that you want to remove from the trusted server group.
Example

delete server group = "group1" url = "url1"

delete trustedservergroup

Deletes a trusted server group.

Syntax

delete trustedservergroup [ name = ] name

Parameters
name

Required. Specifies the name of the trusted server group that you want to remove from the NAP client configuration.
Example

delete trustedservergroup name = "group1"

dump

Creates a script that contains the current NAP client configuration.

Syntax

dump

Remarks

If saved to a file, this script can be used to restore altered configuration settings.

export

Exports an *.xml file that contains the current configuration settings for the NAP client.

Syntax

export [ filename = ] filename

Parameters
Filename

Required. Specifies the file name and folder location where you want to save the *.xml file.
Example

export filename = "c:\config.xml"

help

Displays a list of commands that are available at the netsh context where the command is run, and those inherited from the parent context.

Syntax

help

import

Imports an .xml file that contains configuration settings for the Network Access Protection (NAP) client.

Syntax

import [ filename = ] filename

Parameters
Filename

Required. Specifies the file name and folder location from which you want to import the *.xml file.
Example

import filename = "c:\config.xml"

rename server

Renames the HRA URL of an existing trusted server in the specified trusted server group.

Syntax

rename server [ group = ] group [ url = ] url [ newurl = ] newurl

Parameters
Group

Required. Specifies the name of the trusted server group that contains the HRA server URL that you want to change.
url

Required. Specifies the existing HRA server URL.
Newurl

Required. Specifies the new HRA server URL. If no value is supplied for newurl, the HRA server URL is not changed.
Example

rename server group = "group1" url = "url1" newurl ="url2"

rename trustedservergroup

Renames an existing trusted server group.

Syntax

rename trustedservergroup [ name = ] name [ newname = ] newname

Parameters
Name

Required. Specifies the name of the trusted server group that you want to rename.
Newname

Required. Specifies the new name of the trusted server group.
Example

rename trustedservergroup name = "group1" newname ="group2"

reset configuration

Restores the NAP client configuration to the default settings.

Syntax

reset configuration

reset csp

Sets the cryptographic service provider (CSP) Request Policy to Microsoft Enhanced Cryptographic Provider v1.0.

Syntax

reset csp

reset enforcement

Sets the enforcement client parameter to DISABLED.

Syntax

reset enforcement

reset hash

Sets the hash algorithm Request Policy to sha1RSA (1.3.14.3.2.29).

Syntax

reset hash

reset server

Deletes all URLs in a specified trusted server group.

Syntax

reset server [ group = ] group

Parameters
Group

Required. Specifies the name of the trusted server group.
Example

reset server group = "group1"

reset tracing

Sets the tracing parameter to DISABLE.

Syntax

reset tracing

reset trustedservergroup

Deletes all trusted server groups and the list of all health registration authority servers (by URL) contained in each trusted server group.

Syntax

reset trustedservergroup

reset userinterface

Deletes all user interface settings in the NAP client configuration.

Syntax

reset userinterface

set csp

Changes the cryptographic service provider (CSP) in the NAP client configuration. You can display name of the currently available CSPs with the show csps command.

Syntax

set csp [ name = ] name [ [ keylength = ] keylength ]

Parameters
name

Required. Specifies the name of the cryptographic service provider (CSP).
keylength

Optional. Specifies the length of the asymmetric key. The default key length is 2048.
Example

set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"

set enforcement

Enables or disables NAP enforcement clients in the NAP client configuration. When NAP enforcement clients are enabled, NAP clients can connect to a network with the same type of enforcement server. For example, if a NAP client has the DHCP enforcement client enabled, the NAP client can connect to your network with a DHCP NAP enforcement server. You must specify one or more enforcement clients. By default, all enforcement clients are disabled.

Syntax

set enforcement [ ID = ] ID [ ADMIN = ] ENABLE | DISABLE

Parameters
ID

Required. Specifies the identifier of an installed enforcement client to be enabled or disabled. You can view a list of available enforcement clients and their associated IDs with the show configuration command.
ADMIN

Required. Specifies the administrative state of the specified enforcement client. You must specify ENABLE in order for a NAP client to connect to a network using the type of NAP enforcement method specified by the ID parameter.
Example

set enforcement ID = 79619 ADMIN = "ENABLE"

set hash

Sets the hash algorithm that will be used on the target computer. You can obtain the object identifier (OID) from the "show hashes" command.

Syntax

set hash [ oid = ] oid

Parameters
oid

Required. Specifies the OID of the hash algorithm. You can specify only one OID.
Example

set hash oid = "1.2.840.113549.1.1.5"

set server

Sets the URL and processing order of an HRA server within an existing trusted server group.

Syntax

set server [ group = ] group [ url = ] url [ processingorder = ] processingorder

Parameters
group

Required. Specifies the name of an existing trusted server group that contains the HRA server that you want to add or modify.
url

Required. Specifies the HRA server URL. If the trusted server group requires server verification (https:), then the URL must use the https:// prefix. If the URL is not found in the specified trusted server group, it will be added.
processingorder

Required. Designates the processing order of the HRA URL in the list of URLs in the trusted server group.
Example

set server group = "group1" url = "url1" processingorder = "1"

set tracing

Specifies whether tracing is enabled and the amount of information that is logged by NAP client. Although both parameters are optional, you must specify at least one parameter.

Syntax

set tracing [ [ state = ] ENABLE | DISABLE [ level = ] BASIC | ADVANCED | VERBOSE ]

Parameters
state

Optional. Specifies whether tracing is enabled or disabled. If you specify ENABLE, NAP client creates a trace log file. If you specify DISABLE, NAP client does not create a trace log file. The default is DISABLE. If you enable tracing but do not specify a value for level, NAP client uses the default level value of BASIC
level

Optional. Specifies the amount of information that is logged by NAP client and that appears in the tracing log file. If you specify BASIC, the least amount of information is logged in the trace log file. If you specify ADVANCED, a greater amount of information is logged in the trace log file. If you specify VERBOSE, all information is logged in the trace log file. The default is BASIC. If you do not specify a value for state, NAP client uses the default state value of DISABLE.
Example

set tracing state = "ENABLE" level = "ADVANCED"

set userinterface

Specifies the NAP client user interface settings. Although all parameters are optional, you must specify at least one parameter.

Syntax

set userinterface [ [ title = ] title [ text = ] text [ image = ] image ]

Parameters
title

Optional. Specifies the title that appears in the NAP client user interface.
text

Optional. Specifies the description that appears in the NAP client user interface.
Image

Optional. Specifies the image that appears in the NAP client user interface.
Example

set userinterface title = "My company" text ="Protecting your computer" image = "c:\Logo.jpg"

show configuration

Displays configuration settings and state information for NAP client, including CSP, enforcement client, tracing, and trusted server group configurations.

Syntax

show configuration

show csps

Displays all available cryptographic service providers (CSPs) on the target system. Use this command to obtain the names that you can use in the add csp and delete csp commands.

Syntax

show csps

show grouppolicy

Displays Group Policy configuration settings and state information for NAP client.

Syntax

show grouppolicy

show hashes

Displays all available hash algorithms on the target system. Use this command to obtain the OIDs that you can use in the add hash and delete hash commands.

Syntax

show hashes

Example

Following is an example of the information displayed when you run the show hashes command at the netsh nap client prompt.

Hash OID

sha1RSA

1.2.840.113549.1.1.5

md5RSA

1.2.840.113549.1.1.4

sha1DSA

1.2.840.10040.4.3

sha1RSA

1.3.14.3.2.29

shaRSA

1.3.14.3.2.15

md5RSA

1.3.14.3.2.3

md2RSA

1.2.840.113549.1.1.2

md4RSA

1.2.840.113549.1.1.3

md4RSA

1.3.14.3.2.2

md4RSA

1.3.14.3.2.4

md2RSA

1.3.14.7.2.3.1

sha1DSA

1.3.14.3.2.13

dsaSHA1

1.3.14.3.2.27

mosaicUpdatedSig

2.16.840.1.101.2.1.1.19

sha1NoSign

1.3.14.3.2.26

md5NoSign

1.2.840.113549.2.5

sha256NoSign

2.16.840.1.101.3.4.2.1

sha384NoSign

2.16.840.1.101.3.4.2.2

sha512NoSign

2.16.840.1.101.3.4.2.3

sha256RSA

1.2.840.113549.1.1.11

sha384RSA

1.2.840.113549.1.1.12

sha512RSA

1.2.840.113549.1.1.13

RSASSA-PSS

1.2.840.113549.1.1.10

sha1ECDSA

1.2.840.10045.4.1

sha256ECDSA

1.2.840.10045.4.3.2

sha384ECDSA

1.2.840.10045.4.3.3

sha512ECDSA

1.2.840.10045.4.3.4

specifiedECDSA

1.2.840.10045.4.3

show state

Displays state information, including client access restriction state, the state of installed enforcement clients and system health agents, and the client compliance and remediation results.

Syntax

show state

show trustedservergroup

Displays all trusted server groups and the HRA server URLs in each group.

Syntax

show trustedservergroup

Example

Following is an example of the information displayed when you run the show trustedservergroup command at the netsh nap client prompt.

Setting Value

Group

Trusted server group 1

Require Https

Enabled

URL

https://www.example.com

Processing order

1

Group

Trusted server group 2

Require Https

Enabled

URL

https://www.contoso.com

Processing order

1

Group

Trusted server group 2

Require Https

Enabled

URL

https://www.example.com

Processing order

2